CLAIMS

1. A method of providing intrusion detection (6) in a network (2) wherein data flows are exchanged using associated network ports and application layer protocols, the method including the steps of:

- monitoring (14) data flows in said network (2),

- detecting (16) information on said application layer protocols involved in said monitored data flows; and

- providing intrusion detection (18) on said monitored data flows based on application layer protocols detected.

2. The method of claim 1, characterized in that said intrusion detection is provided independently of any predefined association between said network ports and said application layer protocols.

3. The method of claim 1, characterized in that said step of detecting (16) information on application layer protocols includes passive observation (14) of network traffic.

4. The method of claim 1, characterized in that said step of detecting (16) information on application layer protocols involves using (22) signature-matching techniques.

5. The method of claim 1, characterized in that said step of detecting (16) information on application layer protocols involved in said data flows includes the step of identifying (22, 26) at least one protocol involved in a given data flow.

6. The method of claim 1, characterized in that said step of providing intrusion detection (18) includes signature-based detection of misuse by matching at least one of a given data packet and data flow regardless of the service ports involved, based on said information on application layer protocols.

7. The method of claim 1, characterized in that it includes providing intrusion detection (18) based on a plurality of predefined sets of analysis tasks (66) and misuse signatures (68) for a plurality of said protocols, and includes selecting out of said plurality a set related to at least one protocol involved in a given data flow and at least one of the steps of:

- performing over said data flow the selected set of analysis tasks (66), and

- performing signature matching (22) over said data flow against the selected set of misuse signatures (68).

8. The method of claim 1, characterized in that said steps of detecting information on application layer protocols (16) and providing intrusion detection (18) are performed within the same functional module and employing the same functional blocks of packet capture (19), preprocessing (20) and signature matching (22).

9. The method of claim 4, characterized in that said (22) signature-matching is performed by comparing monitored traffic with a set of (24) protocol detection signatures having the following characteristics:

- the set of signatures is specified in a language similar to the signature language used to specify misuse signatures in said network intrusion detection system, and

- each said signature specifies a respective protocol that is detected if the signature is triggered.

10. The method of claim 9, characterized in that each said signature is designed to attempt to match a pattern that is unique to a given protocol and at the same time is frequently used in said protocol.
11. The method of claim 9, characterized in that it includes the step of using at least one of signatures identifying behavior frequently present in server responses and signatures identifying common client request/server reply behavior.

12. The method of claim 9, characterized in that it involves leaving out signatures exclusively matching a pattern in client behavior.

13. The method of claim 1, characterized in that said step of detecting (16) information on application layer protocols involved in said data flows involves characterizing and classifying data flows related to each server application (10) in said network (2).

14. The method of claim 13, characterized in that said step of characterizing and classifying data flows involves monitoring features out of the group consisting of: packet size, packet arrival times, TCP flags and header information.

15. The method of claim 13, characterized in that said step of characterizing and classifying data flows involves classifying data flows and services into a number of flow classes.

16. The method of claim 13, characterized in that said step of characterizing and classifying data flows involves at least one of discriminating between interactive and non-interactive traffic and identifying specific protocols.
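As an added illustration of claims 13 to 16 (this is not code from the patent), the following Python computes the flow features the claims name (packet size, packet arrival times, TCP flags) and sorts the flows seen towards each server application into a few flow classes, discriminating interactive from non-interactive traffic. The packet records, thresholds, class names and server identifiers are all constructed assumptions for the example.

```python
from collections import Counter
from statistics import mean

# Constructed packet records: (arrival_time_s, payload_bytes, tcp_flags).
# Flags use the usual letters: "P" = PSH, "A" = ACK.
INTERACTIVE_FLOW = [(i * 0.3, 48, "PA") for i in range(20)]   # keystroke-like, human paced
BULK_FLOW = [(i * 0.001, 1460, "A") for i in range(200)]       # full segments, back to back
MIXED_FLOW = [(i * 0.02, 300, "PA") for i in range(30)]        # fits neither class

# Assumed thresholds; a real deployment would tune them per site.
SMALL_PACKET = 64      # payload bytes at or below which a packet counts as "small"
INTERACTIVE_GAP = 0.1  # seconds; human-paced traffic shows larger inter-arrival gaps
BULK_SIZE = 1000       # bytes; bulk transfers run close to the segment size
BULK_GAP = 0.05        # seconds; bulk transfers arrive nearly back to back


def flow_features(packets):
    """Features of claim 14: packet size, arrival times and TCP flags."""
    sizes = [size for _, size, _ in packets]
    times = [t for t, _, _ in packets]
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return {
        "mean_size": mean(sizes),
        "mean_gap": mean(gaps) if gaps else 0.0,
        "psh_ratio": sum("P" in flags for _, _, flags in packets) / len(packets),
        "small_ratio": sum(size <= SMALL_PACKET for size in sizes) / len(sizes),
    }


def classify_flow(packets):
    """Claims 15/16: assign a flow class, separating interactive from bulk traffic."""
    if not packets:
        return "other"
    f = flow_features(packets)
    if f["small_ratio"] >= 0.7 and f["psh_ratio"] >= 0.7 and f["mean_gap"] >= INTERACTIVE_GAP:
        return "interactive"
    if f["mean_size"] >= BULK_SIZE and f["mean_gap"] < BULK_GAP:
        return "bulk-transfer"
    return "other"


def classify_server_flows(flows_by_server):
    """Claim 13: per-server-application counts of flow classes."""
    return {server: Counter(classify_flow(packets) for packets in flows)
            for server, flows in flows_by_server.items()}


if __name__ == "__main__":
    # Constructed server identifiers with the sample flows attached to them.
    sample = {
        "srv-a:22": [INTERACTIVE_FLOW, INTERACTIVE_FLOW],
        "srv-b:80": [BULK_FLOW, MIXED_FLOW],
    }
    for server, counts in classify_server_flows(sample).items():
        print(server, dict(counts))
```

The per-server class profile is what a protocol identification engine can use as a second signal beside payload signatures: a server whose flows are overwhelmingly "interactive" is unlikely to be the bulk file service its port number suggests.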

17. The method of claim 1, characterized in that said step of detecting information on application layer protocols (16) involved in said data flows includes producing a map (30) of associations between application layer protocols and network ports present in said network, and said step of providing intrusion detection (18) is performed on said associated network ports.

18. The method of claim 1, characterized in that said step of providing intrusion detection (18) based on said information on application layer protocols includes the steps of:

- establishing a network policy (34), and

- generating a security event whenever a protocol is detected in violation of said network policy (38).
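To show how claims 7, 9 to 12, 17 and 18 fit together, here is an added Python sketch (not the patent's own code): protocol detection signatures written against server responses identify the protocol of a flow whatever port it uses, the misuse signature set for that protocol is then selected and matched, the protocol/port associations are recorded in a map, and a security event is raised when a protocol appears on a port the network policy does not allow. The signatures, sample flows, policy table and event names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed protocol detection signatures (claims 9 to 12). Each names the
# protocol it identifies when it triggers; they match server responses or the
# request/reply pair, never a client-only pattern.
PROTOCOL_SIGNATURES = [
    ("HTTP", re.compile(rb"^HTTP/1\.[01] \d{3} ")),      # status line of a reply
    ("SMTP", re.compile(rb"^220 [^\r\n]*SMTP", re.I)),   # greeting banner
    ("FTP",  re.compile(rb"^220 [^\r\n]*FTP", re.I)),    # greeting banner
    ("SSH",  re.compile(rb"^SSH-\d\.\d-")),              # version exchange
]

# Constructed per-protocol misuse signature sets (claim 7). Only the set for
# the protocol detected in a flow is matched against that flow.
MISUSE_SIGNATURES = {
    "HTTP": [("http-path-traversal", re.compile(rb"\.\./\.\./"))],
    "FTP":  [("ftp-site-exec", re.compile(rb"^SITE EXEC", re.I | re.M))],
    "SMTP": [("smtp-vrfy-probe", re.compile(rb"^VRFY ", re.I | re.M))],
    "SSH":  [],
}

# Constructed network policy (claim 18): protocols permitted on each server port.
NETWORK_POLICY = {21: {"FTP"}, 22: {"SSH"}, 25: {"SMTP"}, 80: {"HTTP"}}


@dataclass
class Flow:
    server_port: int
    client_data: bytes   # reassembled client-to-server payload
    server_data: bytes   # reassembled server-to-client payload


def detect_protocol(flow):
    """Claim 5: identify the protocol from server behaviour, ignoring the port."""
    for proto, pattern in PROTOCOL_SIGNATURES:
        if pattern.search(flow.server_data):
            return proto
    return None


def analyse_flow(flow, port_map, policy=NETWORK_POLICY):
    """Returns (protocol, events); port_map is the claim 17 map, updated in place."""
    events = []
    proto = detect_protocol(flow)
    if proto is None:
        return None, events
    port_map.setdefault(flow.server_port, set()).add(proto)
    if proto not in policy.get(flow.server_port, set()):
        events.append(("policy-violation", proto, flow.server_port))
    for name, pattern in MISUSE_SIGNATURES.get(proto, []):
        if pattern.search(flow.client_data):
            events.append((name, proto, flow.server_port))
    return proto, events


# Constructed sample flows: HTTP served on a non-standard port with a traversal
# pattern in the request, a clean FTP session, SSH on an unexpected port, and a
# flow that no detection signature recognises.
SAMPLE_FLOWS = [
    Flow(8080, b"GET /static/../../config.ini HTTP/1.1\r\nHost: x\r\n\r\n",
         b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
    Flow(21, b"USER demo\r\nPASS demo\r\n",
         b"220 Example FTP server ready\r\n331 Password required.\r\n"),
    Flow(2222, b"SSH-2.0-demo\r\n", b"SSH-2.0-demo\r\n"),
    Flow(9999, b"\x00\x01\x02", b"\x03\x04"),
]


def run_demo(flows=SAMPLE_FLOWS):
    """Analyse every flow; returns the protocol/port map and all security events."""
    port_map, events = {}, []
    for flow in flows:
        _, flow_events = analyse_flow(flow, port_map)
        events.extend(flow_events)
    return port_map, events


if __name__ == "__main__":
    port_map, events = run_demo()
    print("protocol/port map:", port_map)
    for event in events:
        print("security event:", event)
```

The first sample flow is the case claims 2 and 6 are about: a sensor that chose its signature set from the port number alone would apply no HTTP signatures to port 8080, whereas selecting the set from the detected protocol both matches the HTTP misuse signature and reports the policy violation.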

19. A system for providing intrusion detection (6) in a network (2) wherein data flows are exchanged using associated network ports and application layer protocols, the system including:

- a monitoring module (14) configured for monitoring data flows in said network (2),

- a protocol identification engine (16) configured for detecting (16) information on application layer protocols involved in said monitored data flows; and

- an intrusion detection module (18) designed for operating on said monitored data flows based on said information on application layer protocols detected.

20. The system of claim 19, characterized in that said intrusion detection module (18) operates independently of any predefined association between said network ports and said application layer protocols.

21. The system of claim 19, characterized in that said monitoring module is a module, such as a sniffer (14), configured for passive observation (14) of network traffic.

22. The system of claim 19, characterized in that said protocol identification engine (16) includes a signature-matching feature (22).

23. The system of claim 19, characterized in that said protocol identification engine (16) is configured for detecting information on application layer protocols involved in said data flows by identifying (22, 26) at least one protocol involved in a given data flow.

24. The system of claim 19, characterized in that said intrusion detection module (18) is configured for providing intrusion detection by signature-based detection of misuse by matching at least one of a given data packet and data flow regardless of the service ports involved, based on said information on application layer protocols.

25. The system of claim 19, characterized in that said intrusion detection module (18) is configured for providing intrusion detection based on a plurality of predefined sets of analysis tasks (66) and misuse signatures (68) for a plurality of said protocols, said intrusion detection module (18) being further configured for selecting out of said plurality a set related to at least one protocol involved in a given data flow and carrying out at least one of the steps of:

- performing over said data flow the selected set of analysis tasks (66), and

- performing signature matching (22) over said data flow against the selected set of misuse signatures (68).

26. The system of claim 19, characterized in that said protocol identification engine (16) and said intrusion detection module (18) are integrated into a common functional module and employ a common set of functional blocks of packet capture (19), preprocessing (20) and signature matching (22).

27. The system of claim 22, characterized in that the system is configured for performing said (22) signature-matching by comparing monitored traffic with a set of (24) protocol detection signatures having the following characteristics:

- the set of signatures is specified in a language similar to the signature language used to specify misuse signatures in said network intrusion detection system, and

- each said signature specifies a respective protocol that is detected if the signature is triggered.

28. The system of claim 27, characterized in that each said signature is designed to attempt to match a pattern that is unique to a given protocol and at the same time is frequently used in said protocol.

29. The system of claim 27, characterized in that the system is configured for using at least one of signatures identifying behavior frequently present in server responses and signatures identifying common client request/server reply behavior.

30. The system of claim 27, characterized in that the system is configured for leaving out signatures exclusively matching a pattern in client behavior.

31. The system of claim 19, characterized in that said protocol identification engine (16) is configured for detecting (16) information on application layer protocols involved in said data flows by characterizing and classifying data flows related to each server application (10) in said network (2).

32. The system of claim 31, characterized in that said protocol identification engine (16) is configured for monitoring features out of the group consisting of: packet size, packet arrival times, TCP flags and header information.

33. The system of claim 31, characterized in that said protocol identification engine (16) is configured for characterizing and classifying data flows by classifying data flows and services into a number of flow classes.

34. The system of claim 31, characterized in that said protocol identification engine (16) is configured for characterizing and classifying data flows by at least one of discriminating between interactive and non-interactive traffic and identifying specific protocols.

35. The system of claim 20, characterized in that said protocol identification engine (16) is configured for producing a map (30) of associations between application layer protocols and network ports present in said network, and said intrusion detection module (18) provides intrusion detection on said associated network ports.

36. The system of claim 19, characterized in that said intrusion detection module (18) is configured for:

- establishing a network policy (34), and

- generating a security event whenever a protocol is detected in violation of said network policy (38).

37. A communication network (2) having associated a system according to any of claims 19 to 36.

38. A computer program product loadable in the memory of at least one computer and comprising software code portions for performing the steps of any of claims 1 to 18 when the product is run on a computer.